Abstract

Malicious traffic detection helps prevent cybersecurity threats. Machine learning algorithms are commonly used to detect such traffic in computer networks by analyzing packets. In wide-area networks such as RedCAYLE (Red de Ciencia y Tecnología de Castilla y León), it is not possible to analyze every routed packet, so we propose that in such networks sampled flow data can be used for malicious traffic detection. This work presents an analysis of the relevance of every NetFlow feature in the K-Nearest Neighbors (KNN) algorithm for detecting malicious traffic. The model has been validated with real network data from RedCAYLE. Results show that the models must be trained with sampled flow data, and that the nexthop feature has a negative influence on malicious traffic detection in wide-area networks such as RedCAYLE.
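An added example (not the paper's own code) of the kind of feature-relevance analysis the abstract describes: leave-one-out KNN accuracy over constructed NetFlow-like records, computed with and without each feature. The records, the hypothetical next hops 10.0.0.1/10.0.0.2 and the choice k=1 are assumptions for illustration; the data is built so that the routing-derived nexthop field, once encoded as a feature, pulls one flow of each class toward the wrong side.

```python
"""Drop-column importance of NetFlow features for a KNN malicious-flow classifier.
Constructed records (not RedCAYLE data); next hops 10.0.0.1/10.0.0.2 are hypothetical."""
import math
from collections import Counter

FEATURES = ["duration", "packets", "bytes", "nexthop"]
# (duration_ms, packets, bytes, nexthop, label); label 1 = malicious. Benign flows are
# slightly longer and heavier; nexthop follows routing, so one flow of each class uses 10.0.0.1.
FLOWS = [
    (800, 10, 400, "10.0.0.1", 0), (900, 11, 440, "10.0.0.2", 0),
    (1000, 12, 480, "10.0.0.2", 0), (1100, 13, 520, "10.0.0.2", 0),
    (0, 1, 60, "10.0.0.2", 1), (100, 2, 120, "10.0.0.2", 1),
    (200, 3, 180, "10.0.0.2", 1), (300, 4, 240, "10.0.0.1", 1),
]

def encode(flows, features):
    """Min-max scale the chosen features; nexthop (categorical) becomes its index
    among the sorted distinct values. Scaling uses the whole set for brevity."""
    cols = {}
    for name in features:
        raw = [f[FEATURES.index(name)] for f in flows]
        if name == "nexthop":
            hops = sorted(set(raw))
            raw = [hops.index(h) for h in raw]
        lo, hi = min(raw), max(raw)
        cols[name] = [(v - lo) / (hi - lo) if hi > lo else 0.0 for v in raw]
    return [[cols[n][i] for n in features] for i in range(len(flows))]

def knn_predict(train, query, k):
    """Majority label among the k Euclidean-nearest training vectors."""
    ranked = sorted(train, key=lambda t: math.dist(t[0], query))
    return Counter(label for _, label in ranked[:k]).most_common(1)[0][0]

def loo_accuracy(flows, features, k=1):
    """Leave-one-out accuracy: each flow is classified by all the others."""
    data = list(zip(encode(flows, features), [f[-1] for f in flows]))
    hits = sum(knn_predict(data[:i] + data[i + 1:], v, k) == y
               for i, (v, y) in enumerate(data))
    return hits / len(data)

def drop_column_importance(flows, features, k=1):
    """accuracy(all) - accuracy(all but one feature); a negative score means the
    feature degrades detection, which is what the paper reports for nexthop."""
    base = loo_accuracy(flows, features, k)
    return {f: base - loo_accuracy(flows, [g for g in features if g != f], k)
            for f in features}

if __name__ == "__main__":
    for name, score in drop_column_importance(FLOWS, FEATURES).items():
        print(f"{name:>9}: {score:+.3f}")
```

On this constructed set the three numeric features score 0.0 (dropping any one leaves the other two to separate the classes) while nexthop scores -0.25, i.e. removing it raises leave-one-out accuracy from 0.75 to 1.0.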

The research described in this article has been partially funded by Instituto Nacional de Ciberseguridad de España (INCIBE), under the grant “ADENDA 4: detección de nuevas amenazas y patrones desconocidos (red Regional de Ciencia y Tecnología)”, addendum to the framework agreement INCIBE-Universidad de León, 2019–2021; the Spanish Ministry of Science, Innovation, and Universities RTI2018-100683-B-I00 grant; and the regional Government of Castilla y León under the grant BDNS (487971).

Corresponding author

Correspondence to Adrián Campazas-Vega.

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Campazas-Vega, A., Crespo-Martínez, I.S., Guerrero-Higueras, Á.M., Álvarez-Aparicio, C., Matellán, V. (2022). Analysis of NetFlow Features’ Importance in Malicious Network Traffic Detection. In: Gude Prego, J.J., de la Puerta, J.G., García Bringas, P., Quintián, H., Corchado, E. (eds) 14th International Conference on Computational Intelligence in Security for Information Systems and 12th International Conference on European Transnational Educational (CISIS 2021 and ICEUTE 2021). CISIS - ICEUTE 2021. Advances in Intelligent Systems and Computing, vol 1400. Springer, Cham. https://doi.org/10.1007/978-3-030-87872-6_6
